Sourcefire FireAMP Brings Big Data Analytics to Enterprise Security

WEBINAR:On-Demand

Over the last several years, Sourcefire Inc. has been offering consumer-grade endpoint security as a complement to their enterprise-grade intrusion prevention technologies. Now Sourcefire is upping the ante with FireAMP, an enterprise-grade release of their endpoint security solution that leverages Big Data analytics technology to help enterprises protect and remediate endpoints from malware infection.

Al Huger, vice president of development in Sourcefire's Cloud Technology Group, explained to InternetNews.com that FireAMP isn't just about detection, it's about enabling enterprises with malware intelligence.

"We want to show you how things got in and where they went," Huger said. "We want to show what those things did and we want to give our users the ability to execute software and find out exactly what it does, so they can judge risk." After detection, the FireAMP system goes a step further by also giving enterprise administrators the ability to remove malware from every machine it has been detected on.

At the core of the FireAMP product is a significant amount of intelligence about what is going on in a given network. The FireAMP technology is an outgrowth of technologies that Sourcefire acquired from endpoint security vendor Immunet in 2011 for $21 million.

"We have to have a pretty detailed picture of your network and we need to know every single file operation that occurs on your network that we're interested in," Huger said.

That's where Sourcefire's cloud-based Big Data analytics engine comes into play. Sourcefire is already using a cloud-based approach for scanning in the consumer Immunet 3.0 technology.

"We have extensive exposure to Hadoop and we have several NoSQL implementations on the backend," Huger said. "We use Amazon and we have our own data centers as well a third-party data center."

Big Data also plays a key role in helping FireAMP with tracking a file or potential malware across a network.

"As long as we were installed, we see how it got there and what it did and we'll build a file trajectory," Huger said. "That's where the Big Data aspect comes in, the file operations are fairly numerous."

From the detection point of view, Sourcefire is leveraging bits from the open source ClamAV project, which the company helps lead.

Overall, from a malware detection perspective, Sourcefire isn't aiming to displace existing malware protection solutions in an enterprise. Rather, the goal is to complement those tools with additional scanning and analytics capabilities.

"We add an extra layer of detection and we do it by focusing on what we think other products will miss," Huger said.

Huger explained that FireAMP co-installs cleanly alongside most large antivirus solutions. FireAMP looks at the history of the cloud data that Sourcefire has collected, and then detects which products are failing to catch certain viruses in the field. Using that data, Sourcefire focuses on the areas where other products fail.

"We want to give a strong second opinion as well as looking into the dark cracks that others might be missing," Huger said.